Risk assessment at Policy Exceptions

Kristoffer Pari
Tera Expert

Hi Community,

Could someone explain why the "original" risk scores seem to be saved to related risks when Requesting Risk Assessment on a Policy Exception?

There seem to be the following fields (not visible on the form) in the risk table that I cannot figure out the usage for:

  • original_calculated_ale
  • original_calculated_score 
  • original_inherent_ale
  • original_inherent_aro
  • original_inherent_sle
  • original_residual_ale
  • original_residual_aro
  • original_residual_score 
  • original_residual_sle
  • original_response
  • original_score 

Thank you in advance,

Kristoffer

1 ACCEPTED SOLUTION

Phil Swann
Tera Guru

Risk Assessment within Policy Exception is a bit abstract, at first...

Before you begin, you must imagine that you are fairly mature with both Controls and Risks; else, this feature is not really going to be of significant value.

So let's envisage a Profile/Entity of London Data Centre.

You have several risks:

- Fire
- Flood
- Airplane disaster

Linked to the Fire risk, you have several controls:

- Fire extinguishers
- Training
- Fire drills
- Sprinklers
- Posters

Now, perhaps at this site you have realised that the sprinklers are not working, but you are due to repair them as part of a renovation project over the next 3 months. You need temporary relief on this control. Thus, Policy Exception (PER) comes into play.

Perhaps an Issue is raised that you cannot remediate; you need to accept the issue. Now we have a perfect entry point into PER.

The issue is directly related to a Control, which is tied to a Control Objective (née Policy Statement).

Upon selecting this issue, it populates the statement and also populates the impacted controls related list...

This then displays in the risk section all risks which are associated with the control (Fire),

and then, in the mitigating controls related list, you will see the OTHER controls for that risk, which provide protection against that risk.

Great, so you can see the coverage. But you want to utilise risk assessment within PER; what does it do?

Because the risk of Fire was assessed and scored based on ALL controls being implemented (or rather, those controls are mitigating this risk), and now we are asking for temporary relief, this means the control is not really implemented... We should probably re-assess the risk, taking account of the fact that this risk no longer has full coverage....

It will snapshot the scores as they stand, and then the risk is re-assessed for the duration of the PER.

Once the PER is closed, it reverts back to the original scores....

For me there are some nuances in this lifecycle, such as the automated triggering of the assessment process, which perhaps should be refined. And this topic is very broad, such that it is rarely covered even in the CIS exam.

I have a lot of conversations around this topic, and rarely are organisations quite ready to adopt it in full. But Risk Assessment in the context of PER is all about assessing the existing Risks based on the approved gap in coverage, which is the net effect of the PER being approved. It makes total sense, but requires a fair amount of maturity upfront to be effective.

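To make the snapshot / re-assess / restore lifecycle described in the accepted answer concrete, here is an added example in plain JavaScript; it is not ServiceNow's own business rule code. It models the "Save risk original response and scores" and "Restore risk response and scores" steps against the original_* fields listed in the question; the visible field names (score, response, inherent_sle, ...) are assumed to be those names without the original_ prefix, and ALE is derived as SLE × ARO (the standard annualised loss expectancy formula).

```javascript
// Added example (not ServiceNow code): model of a risk record passing through a
// Policy Exception (PER) risk assessment. Visible field names are assumed.
const ORIGINAL_FIELDS = [
  "original_calculated_ale", "original_calculated_score",
  "original_inherent_ale", "original_inherent_aro", "original_inherent_sle",
  "original_residual_ale", "original_residual_aro", "original_residual_score",
  "original_residual_sle", "original_response", "original_score",
];
const visibleName = (f) => f.replace(/^original_/, "");
const hasSnapshot = (risk) =>
  risk.original_score !== null && risk.original_score !== undefined;

// Step 1, mirrors "Save risk original response and scores": copy the current
// scores aside when the PER requests a risk assessment. A second request must
// not overwrite a baseline that is already stored, or the restore would be wrong.
function saveOriginal(risk) {
  if (hasSnapshot(risk)) return false;
  for (const f of ORIGINAL_FIELDS) risk[f] = risk[visibleName(f)];
  return true;
}

// Step 2, re-assessment while the PER is active: the control under exception is
// treated as not implemented, so the assessor supplies new values; ALE is derived.
function reassess(risk, update) {
  Object.assign(risk, update);
  risk.inherent_ale = risk.inherent_sle * risk.inherent_aro;
  risk.residual_ale = risk.residual_sle * risk.residual_aro;
  return risk;
}

// Step 3, mirrors "Restore risk response and scores": when the PER closes, put the
// baseline back and clear the original_* fields. No-op if nothing was saved.
function restoreOriginal(risk) {
  if (!hasSnapshot(risk)) return false;
  for (const f of ORIGINAL_FIELDS) {
    risk[visibleName(f)] = risk[f];
    risk[f] = null;
  }
  return true;
}

// Constructed sample risk ("Fire" on a data centre profile), values are made up.
function newRisk() {
  return {
    score: 35, response: "mitigate", calculated_score: 30, calculated_ale: 4000,
    inherent_sle: 100000, inherent_aro: 0.2, inherent_ale: 20000,
    residual_sle: 40000, residual_aro: 0.1, residual_ale: 4000, residual_score: 20,
  };
}
```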

15 REPLIES

PrudeAnurag
ServiceNow Employee

Hello Kristoffer,

This seems to be an initial placeholder to store the original values, which are defined when the risks are initially defined, before following the whole lifecycle.

RiskResponseBase: this script include is responsible for all the actions that happen on the fields listed by you.

Best Regards,

Anurag

Kristoffer Pari
Tera Expert

To be more specific, there are these two Business Rules that are doing what I tried to explain in the initial post:

"Save risk original response and scores" - Stores the related risk scores to the "original" fields.

"Restore risk response and scores" - Restores the visible score fields from the "original" fields.

So what I'm interested in is why this is done. I cannot find any feature that would update the visible risk score fields in between, unless it's meant to be updated manually.

Best Regards,

Kristoffer

Hello Kristoffer,

Below is what I understand from Risk Scoring.

Best Practice: Do not modify calculations.

Note: If either the Control Failure Factor or the Indicator Failure Factor is null, then the Calculated Risk Factor will be equal to the one that is present. In that case, a single failure factor will NOT be divided by two to derive the Calculated Risk Factor.

P.S.: The values do get automatically updated, it seems.

Best Regards,

Anurag

Hi PrudeAnurag,

Thank you for your reply. Yes, the Risk scores do not seem to automatically update from the "Policy Exception" Risk Assessment; that is why I'm wondering why this OOB feature exists that stores the risk scores to these "original_*" fields for the related risks.

Best Regards,

Kristoffer